Show
The ins and outs of the Three Lines of Defence model and the benefits and challenges of implementation.The Institute of Internal Auditors (IIA) published a global position paper in 2013, titled: The Three Lines of Defense in Effective Risk Management and Control. The concept has remained sufficiently important that a further position paper was published in June 2017 by the Chartered Institute of Internal Auditors, titled: The Three Lines of Defence, hereafter the 2017 paper. The 2017 paper stated: ‘Applying the three lines of defence model in an organisation is not a silver bullet for achieving effective internal audit. ‘Much also depends for example on the standing, scope and resourcing of the internal audit function. ‘However, if the positioning and governance structure for internal audit are wrong, its ability to support the board or audit committee in their challenging of management can be fatally undermined’. What is the Three Lines of Defence model?The IIA and the Institute of Directors endorse the 'Three Lines of Defence' model as a way of explaining the relationship between these functions and as a guide to how responsibilities should be divided: Source: CIAA website Three lines of defence
Is the model applicable to any organisation?In short, yes. The 2013 paper stated that the three lines of defence model is ‘appropriate for any organisation – regardless of size or complexity. Even in organizations where a formal risk management framework or system does not exist, the Three Lines of Defense model can enhance clarity regarding risks and controls and help improve the effectiveness of risk management systems’. The IIA position papers are part of their ‘Strongly Recommended’ category of guidance and compliance is not mandatory. The key benefits of implementing an effective modelTo implement an effective and efficient model across an organisation is not simple and requires vision and ongoing support from the Board and executive management in terms of direction and resources. Benefits are:
When implementation of the model failsThe Financial Stability Institute published Occasional Paper No 11 ‘The four lines of defence model’ for financial institutions in December 2015. The paper included a root cause analysis of how the implementation of the lines of defence model arguably failed in practice during significant banking scandals with the following key findings:
Three lines of defence in depthFor an explanation of the role of Internal Audit in the three lines of defence model and some of the practical day-to-day challenges of implementation under an often-ongoing climate of ‘doing more with less’ watch our for the second article on this topic ‘Internal audit: challenges of implementation'. Which of the following statements is an incorrect description of the role of internal auditors?The correct answer is a. Internal auditors are not permitted to assist external auditors because it would compromise the external auditor's independence. It is an incorrect statement because internal auditors assist external auditors during the auditing process to provide them with all the needed information.
Which of the following is not the role of internal audit department?The scope of the internal audit function does not include an assessment of the company's strategic management process.
Which of the following statements is not a distinction between independent auditors and internal auditors?ANSWER: C 16. Which of the following statements is not a distinction between independent auditing and internal auditing? a. Independent auditors represent third party users external to the auditee entity, whereas internal auditors report directly to management.
Which of the following actions by the internal auditor relates to the internal audit principle of objectivity?Correct Answer Rule of Conduct 2.3 under the objectivity principle states, "Internal auditors shall disclose all material facts known to them that, if not disclosed, may distort the reporting of activities under review."
|